Fine grained access control with cognito identity and custom claims

Question

I have a cognito identity pool that assigns a principal tag named home. I create credentials with fromCognitoIdentityPool (which ultimately calls AssumeRoleWithIdentity ).

Further, I use these credentials to invoke a lambda named locate which has the following policy for allowing access to only items with primary key same as the value of home:

```
        - Statement:
            - Action: [dynamodb:GetItem]
              Effect: Allow
              Resource: !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${PlacesTableName}"
              Condition:
                ForAllValues:StringEquals:
                  dynamodb:LeadingKeys:
                    - "${aws:PrincipalTag/home}"

```

However, this condition always fails and I get access denied exception:
`AccessDeniedException: User: arn:aws:sts::...:assumed-role/...-UserRole-.../Locate is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:...:table/Places because no identity-based policy allows the dynamodb:GetItem action`

Any ideas?

Answer

The "Principal" in this context is the AWS Lambda execution role. This role determines what actions the Lambda function can perform on AWS resources. The ${aws:PrincipalTag/home} condition means the Lambda can only access specific DynamoDB items if the execution role has a matching home tag value. This setup provides targeted access control based on the execution role's tags. If your Lambda execution role doesn't have that tag it will be denied.

Resources:

https://docs.aws.amazon.com/lambda/latest/dg/attribute-based-access-control.html

Resources:
* https://docs.aws.amazon.com/lambda/latest/dg/attribute-based-access-control.html

Fine grained access control with cognito identity and custom claims

Relevant content